IETF-SSH archive
Re: sntrup761 key size
Simon Tatham <anakin%pobox.com@localhost> writes:
> That hash is mentioned at the top of page 20 of the document you cite:
>
> *Key-hash caching.* Caching Hash_4(_K_) saves time when K is reused in
> encapsulation or decapsulation. We cache Hash_4(_K_) at the end of
> secret keys.

Thanks, I had missed that.

> But in the SSH usage of NTRU Prime (and indeed all other PQ KEMs so
> far), there's no real need to use the prescribed byte encoding of secret
> keys in any case, since a key pair is generated, used for one exchange
> and discarded all within the same process,

Ah, in SSH the more expensive operations (key generation and
decapsulation) are done by the client, while the server only needs to do
the comparatively cheaper encapsulation operation.

(If it was the other way around, it would make sense for the server to
either use a long-term key, or at least cache and reuse a generated
ephemeral keypair for some time).

Regards,
/Niels

--
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.